[c-nsp] Securing virtual networks
Higham, Josh
jhigham at epri.com
Thu Mar 13 19:12:09 EDT 2008
> From: Nate Carlson [mailto:cisco-nsp at natecarlson.com]
>
> On Thu, 13 Mar 2008, Higham, Josh wrote:
> > What methods are available for making sure that no traffic leaks between
> > virtual networks? I am looking at doing some sort of virtualization for
> > a small enterprise network (so no software based provisioning) and want
> > to either prevent or detect misconfigurations.
>
> What type of virtualization are you talking about? Something like
> VMWare/Xen, or network virtualization?
Network virtualization.
> > If I restrict the address ranges I can use netflow and ACLs, but that
> > removes one of the benefits. This isn't a hostile environment, but
> > would include a guest network so malicious attacks are possible, along
> > with the obvious virus issues.
>
> OK - so put the guest network off on its own VLAN, and isolate it.
I know that I can isolate it in a VLAN, but I want to avoid having a
single point of failure. If someone puts a port into the wrong VLAN,
and the user gets a DHCP address (two segregated user access networks,
for example) we might not know until it actually causes a problem by
releasing a virus (or worse, a directed malicious attack).
This is historically the reason for using physical separation, but
that's no longer viable. I am just wondering if there are any good ways
to protect against user error, or if people just ignore it.
Thanks,
Josh
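As an added example (not code from the thread or from either poster), one way to catch the misconfiguration Josh worries about, a port landing in the wrong VLAN, is a periodic audit that parses output in the shape of Cisco IOS `show interfaces status` and compares each port against the intended port-to-VLAN design. The sample output, port names, VLAN numbers and the `EXPECTED` map are all constructed for illustration.

```python
"""Audit access-port VLAN assignments against the intended design.

Parses text in the shape of Cisco IOS 'show interfaces status' and reports
every port whose VLAN differs from the design, so a guest-network port that
was accidentally placed in the staff VLAN shows up before it causes trouble.
"""
import re

# Constructed sample (not captured from a real device).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   staff-desk-01      connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   staff-desk-02      connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/3   guest-lobby-01     connected    10         a-full  a-100  10/100/1000BaseTX
Gi1/0/4   guest-lobby-02     notconnect   20         auto    auto   10/100/1000BaseTX
Gi1/0/24  uplink-core        connected    trunk      a-full  a-1000 10/100/1000BaseTX
"""

# Intended assignment (hypothetical design): port -> VLAN id or "trunk".
EXPECTED = {
    "Gi1/0/1": "10", "Gi1/0/2": "10",
    "Gi1/0/3": "20", "Gi1/0/4": "20",
    "Gi1/0/24": "trunk",
}

# port, optional description, status keyword, then the Vlan column.
LINE_RE = re.compile(
    r"^(\S+)\s+(.*?)\s+(connected|notconnect|disabled|err-disabled)\s+(\S+)\s")


def parse_status(text):
    """Return {port: vlan} from show-interfaces-status-style text."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines carry no status keyword and are skipped
            ports[m.group(1)] = m.group(4)
    return ports


def audit(ports, expected):
    """Return (port, expected_vlan, actual_vlan) for every deviation.

    A port present on the switch but absent from the design is reported with
    expected None; a designed port missing from the switch with actual None.
    """
    findings = [(p, expected.get(p), v) for p, v in sorted(ports.items())
                if expected.get(p) != v]
    findings += [(p, expected[p], None) for p in sorted(expected) if p not in ports]
    return findings


if __name__ == "__main__":
    for port, want, got in audit(parse_status(SAMPLE_STATUS), EXPECTED):
        print(f"{port}: expected VLAN {want}, found {got}")
```

Wiring this to a scheduled collection job (or the same check against the running config) turns a silent VLAN mistake into an alert rather than an incident.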